Rootkit.TDSS
Posted: April 3, 2009
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level | 8/10 |
|---|---|
| Infected PCs | 934 |
| First Seen | November 30, 2010 |
| OS(es) Affected | Windows |
Rootkit.TDSS is a generic label for any one of many types of TDSS rootkit components (also known as Alureon Trojans or Tidserv Trojans and associated with DNS Changer) that create serious security violations on an infected PC. As a rootkit, Rootkit.TDSS uses especially advanced features to conceal itself and protect itself from deletion, and some variants of Rootkit.TDSS may even be able to run in Safe Mode. Regardless of which variants of Rootkit.TDSS are attacking your PC, SpywareRemove.com malware researchers have found that all types of Rootkit.TDSS infections are dangerous security attacks that can be involved in theft of private information, browser hijacks, the installation of additional types of PC threats, Distributed Denial-of-Service attacks and other forms of criminal control over your computer. You should use powerful and up-to-date anti-malware programs to find and remove Rootkit.TDSS, since manual detection or deletion of Rootkit.TDSS is, at best, a last resort that is unlikely to succeed.
Why You Will Not See Rootkit.TDSS... Unless You Have a Little Outside Help
Even though all rootkits are known for using stealth-related features, Rootkit.TDSS family rootkits are especially infamous for their advanced structures that allow them to avoid being noticed unless caught by appropriate security software. Variants of Rootkit.TDSS infections have been known to use memory-injection techniques to hide their activities inside normal system processes, hide themselves as malicious drivers, hide themselves as .dll files and even scatter their components in a semi-random fashion throughout a hard drive. In most cases, a single Rootkit.TDSS file will be accompanied by other Rootkit.TDSS files that serve different functions (such as loading additional TDSS components or causing specific attacks like browser redirects).
Because Rootkit.TDSS is a generic label that can apply to many types of TDSS files, you may also see Rootkit.TDSS identified by a huge range of aliases that depend on the anti-malware scanner you use to detect it. A few examples of the many TDSS components that SpywareRemove.com malware experts have seen include BackDoor.Tdss.5070, BOO/Tdss.M, TDSS.e!rootkit, Rootkit TDSS.d and TDSS.d!men. Unless you've taken extra steps to stop Rootkit.TDSS from being loaded, you should assume that Rootkit.TDSS is active on your PC, even if Rootkit.TDSS doesn't show a distinct memory process or file.
Some of the Endless Heads of the Rootkit.TDSS Hydra
Attacks based on a Rootkit.TDSS infection can take a nearly infinite range of forms, given Rootkit.TDSS's ability to update its behavior based on instructions from a command server. Nonetheless, SpywareRemove.com malware researchers have found that some of Rootkit.TDSS's most common uses and behaviors include:
- Web browser redirects to malicious sites. These sites can include phishing sites that try to steal private information or sites that install harmful software via drive-by-download scripts.
- Software-blocking behavior that prevents you from using other programs. The programs most likely to be targeted by these Rootkit.TDSS attacks are those that could help you remove Rootkit.TDSS (such as anti-malware applications). In such instances, you may need to rename the program file or disable Rootkit.TDSS before you can access software that will delete Rootkit.TDSS in a safe manner.
- The installation of other types of harmful software that may or may not be obviously visible. This can extend to keyloggers, Trojan droppers, worms or rogue security programs.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Rootkit.TDSS may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

%WINDIR%\System32\drivers\_VOIDhrotxiltat.sys
File name: _VOIDhrotxiltat.sys
Size: 42.49 KB (42496 bytes)
MD5: 89b56f6143f7c1ad44cd10f46700b9da
Detection count: 31
File type: System file
Mime Type: unknown/sys
Path: %WINDIR%\System32\drivers
Group: Malware file
Last Updated: October 14, 2011

%WINDIR%\system32\tcppid.sys
File name: tcppid.sys
Size: 2.3 KB (2304 bytes)
MD5: c72311b8d604a3e3e9b36df733f30843
Detection count: 16
File type: System file
Mime Type: unknown/sys
Path: %WINDIR%\system32
Group: Malware file
Last Updated: December 8, 2010

%WINDIR%\system32\isaxbox.sys
File name: isaxbox.sys
Size: 2.3 KB (2304 bytes)
MD5: 5a7eef7dcdae6912afe7f50983d5520f
Detection count: 12
File type: System file
Mime Type: unknown/sys
Path: %WINDIR%\system32
Group: Malware file
Last Updated: December 8, 2010

C:\WINDOWS\system32\UAC[RANDOM].dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

C:\WINDOWS\system32\UAC[RANDOM].dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\UAC[RANDOM].db
Mime Type: unknown/db
Group: Malware file

C:\WINDOWS\_VOID[RANDOM]\
Group: Malware file

C:\WINDOWS\_VOID[RANDOM]\_VOIDd.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\system32\_VOID[RANDOM].dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\_VOID[RANDOM].dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

C:\WINDOWS\system32\uacinit.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\uactmp.db
Mime Type: unknown/db
Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3c.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM].dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM].sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\system32\drivers\_VOID[RANDOM].sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\system32\drivers\UAC[RANDOM].sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\Temp\_VOID[RANDOM]tmp
Group: Malware file

C:\WINDOWS\Temp\UAC[RANDOM].tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

%Temp%\_VOID[RANDOM].tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

%Temp%\UAC[RANDOM].tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

C:\Documents and Settings\<username>\Application Data\_VOIDmainqt.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
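As an added example (not code from the original page or from SpyHunter), the file indicators listed above turned into a defender-side check: the page's path templates become regexes, its three listed MD5 sums become a lookup, and a constructed file inventory is scanned. The inventory entries, the helper names and the "[RANDOM]" matching rule are assumptions made for illustration.

```python
import re
# Path templates copied from the file list above: "[RANDOM]" is a string
# that varies per infection; %WINDIR% and %Temp% are environment variables.
TDSS_PATH_TEMPLATES = [
    r"%WINDIR%\system32\drivers\_VOID[RANDOM].sys",
    r"%WINDIR%\system32\drivers\4DW4R3[RANDOM].sys",
    r"%WINDIR%\system32\UAC[RANDOM].dll",
    r"%Temp%\UAC[RANDOM].tmp",
]
# MD5 sums of the three named samples in the list above.
KNOWN_MD5 = {
    "89b56f6143f7c1ad44cd10f46700b9da": "_VOIDhrotxiltat.sys",
    "c72311b8d604a3e3e9b36df733f30843": "tcppid.sys",
    "5a7eef7dcdae6912afe7f50983d5520f": "isaxbox.sys",
}

def template_to_regex(template):
    """%VAR% matches any directory prefix, [RANDOM] a run of alphanumerics,
    the rest literally; case-insensitive because NTFS names are."""
    parts = []
    for piece in re.split(r"(%\w+%|\[RANDOM\])", template):
        if piece == "[RANDOM]":
            parts.append(r"[A-Za-z0-9]+")
        elif re.fullmatch(r"%\w+%", piece):
            parts.append(r".+?")
        else:
            parts.append(re.escape(piece))
    return re.compile(r"\A" + "".join(parts) + r"\Z", re.IGNORECASE)
TDSS_PATTERNS = [(t, template_to_regex(t)) for t in TDSS_PATH_TEMPLATES]

def classify(path, md5=None):
    """Reasons this (path, md5) pair matches the indicators; [] if none."""
    reasons = []
    if md5 and md5.lower() in KNOWN_MD5:
        reasons.append("md5 of listed sample " + KNOWN_MD5[md5.lower()])
    reasons += ["path matches " + t for t, rx in TDSS_PATTERNS if rx.match(path)]
    return reasons

def scan_inventory(inventory):
    """{path: reasons} for every matching (path, md5) pair. List the disk from
    a clean system: a live TDSS driver hides its files from normal file APIs."""
    return {p: r for p, h in inventory if (r := classify(p, h))}
# Constructed sample inventory (not real data): a benign driver, a randomly
# named _VOID driver, a hash hit on tcppid.sys and a UAC temp file.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\drivers\tcpip.sys", "0" * 32),
    (r"C:\Windows\System32\drivers\_VOIDkqxz.sys", "f" * 32),
    (r"C:\Windows\system32\tcppid.sys", "c72311b8d604a3e3e9b36df733f30843"),
    (r"C:\Users\alice\AppData\Local\Temp\UAC3fa1.tmp", "a" * 32),
]
```

A path-only hit on a random name is a lead to hash and inspect, not proof of infection; the hash hits against the three listed sums are the strong indicators.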